Category Archives: Potential Risk of CVE

Insufficient Input Validation – Intel Distribution for Python (IDP) – Jul 2018

Mozilla’s Bleach library is a security-focused library. The design goal of Bleach is to sanitize input of malicious content; it also lets software developers safely create links.

IPython is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language, that offers introspection, rich media, shell syntax, tab completion, and history.

Given a fragment of HTML, Bleach will parse it according to the HTML5 parsing algorithm and sanitize any disallowed tags or attributes.

But Intel announced the following statement in Jul 2018 (see below):

Synopsis – Insufficient Input Validation in Bleach module in Intel® Distribution for Python (IDP) version IDP 2018 Update 2 potentially allows an unprivileged user to bypass URI sanitization and cause a Denial of Service via local vector.

Any interest? Perhaps you have this domain knowledge. Should you be interested, please refer to the hyperlink below.

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00129.html
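The sanitization step the advisory concerns is the link (URI) check. The block below is an added example, not Bleach’s code and not the fix for this advisory: it contrasts a naive substring blocklist with an allowlist check that normalizes the attribute value the way HTML5 URL handling does (strip leading and trailing C0 control characters and spaces, remove tabs and newlines) before reading the scheme. The function names, the allowlist and the test strings are assumptions chosen for illustration.

```python
"""Allowlist-based URL scheme check of the kind an HTML sanitizer needs.

Added example (not Bleach's implementation): shows why the scheme must be
read from a normalized value and compared against an allowlist rather than
searched for a forbidden substring.
"""
import re

ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})   # assumed policy
ALLOWED_LINK_ATTRS = frozenset({"href", "title"})           # assumed policy

# Characters U+0000..U+0020 (C0 controls and space) are trimmed from both ends.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
# ASCII tab and newline are removed anywhere in the value before parsing.
_TAB_NEWLINE_RE = re.compile(r"[\t\n\r]")
# A URL scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def naive_is_safe(value):
    """The blocklist check many ad-hoc sanitizers start with; it misses
    variants that are not byte-for-byte 'javascript:'."""
    return "javascript:" not in value.lower()


def normalize_href(value):
    """Apply the normalization an HTML5 URL parser performs first."""
    return _TAB_NEWLINE_RE.sub("", value.strip(_C0_AND_SPACE))


def url_scheme(value):
    """Lower-cased scheme of the normalized value, or None if it is relative."""
    match = _SCHEME_RE.match(normalize_href(value))
    return match.group(1).lower() if match else None


def is_safe_href(value, allowed=ALLOWED_SCHEMES):
    """Relative URLs (no scheme) and allowlisted schemes pass; everything
    else, including unknown schemes, is rejected."""
    scheme = url_scheme(value)
    return scheme is None or scheme in allowed


def sanitize_link_attributes(attrs):
    """Keep only allowlisted attributes of an <a> element and drop an href
    whose scheme is not allowed (the element survives without a link)."""
    cleaned = {k: v for k, v in attrs.items() if k in ALLOWED_LINK_ATTRS}
    if "href" in cleaned and not is_safe_href(cleaned["href"]):
        del cleaned["href"]
    return cleaned


if __name__ == "__main__":
    # Constructed inputs for the demonstration.
    for sample in ("https://example.com/", "/relative/path",
                   "data:text/plain,hi", "java\tscript:void(0)"):
        print(repr(sample), "naive:", naive_is_safe(sample),
              "allowlist:", is_safe_href(sample))
```

The important property is that the scheme is extracted from the normalized value and matched against a short allowlist, so an unknown or obfuscated scheme fails closed instead of slipping past a pattern that only recognizes one spelling.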

Aug 2018 – Do not dismiss this vulnerability (CVE-2018-5390)

Hardware vendors deploy Linux on demand as their product lines grow: your firewall appliances, malware detectors, load balancers, network L2 and L3 switches and IoT devices all run Linux. Attackers found a trick recently. If a source device feeds tiny packets completely out of order, the kernel function tcp_collapse_ofo_queue() may scan the whole rb-tree. As a result, an attacker can induce a denial of service condition by sending specially modified packets within ongoing TCP sessions. I think this specific vulnerability cannot be dismissed. The worst case is that an attacker could conduct denial of service against unpatched hardware appliances and IoT devices.
In the meantime, we are waiting for hardware vendor responses.

The US CERT official announcement is shown below:

Linux Kernel TCP implementation vulnerable to Denial of Service

Original Release date: 06 Aug 2018 | Last revised: 06 Aug 2018

https://www.kb.cert.org/vuls/id/962459
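While waiting for vendor patches, a defender can at least look for the traffic shape described above: one flow delivering many tiny segments that each leave a hole before them. The block below is an added example, not code from the US-CERT note or from the kernel fix. It replays a constructed list of segment records (no real capture) through a per-flow tracker and flags flows whose out-of-order queue keeps receiving tiny segments. The record layout, the “tiny” cut-off and the alert threshold are assumptions chosen for illustration; the result is a triage signal, not a substitute for patching.

```python
"""Heuristic detector for flows fed many tiny out-of-order TCP segments.

Added example for CVE-2018-5390 (not from the advisory or the kernel patch):
per-flow tracking of the next expected sequence number, counting tiny
segments that arrive with a gap in front of them.
"""
from collections import defaultdict

TINY_PAYLOAD = 16      # bytes; assumed cut-off for a "tiny" segment
ALERT_THRESHOLD = 50   # tiny out-of-order segments per flow before alerting (assumed)


def analyze_segments(segments, tiny=TINY_PAYLOAD, threshold=ALERT_THRESHOLD):
    """segments: iterable of (src, sport, dst, dport, seq, payload_len).

    Returns (counts, flagged): counts maps a flow 4-tuple to the number of
    tiny segments that arrived with a hole before them; flagged lists the
    flows at or above the threshold."""
    next_seq = {}                  # flow -> next in-order sequence number
    pending = defaultdict(dict)    # flow -> {seq: end} queued out-of-order data
    counts = defaultdict(int)
    for src, sport, dst, dport, seq, plen in segments:
        flow = (src, sport, dst, dport)
        end = seq + plen
        if flow not in next_seq:   # first segment seen defines the baseline
            next_seq[flow] = end
            continue
        queue = pending[flow]
        if seq > next_seq[flow]:
            # A hole precedes this segment: it waits in the out-of-order queue.
            queue[seq] = max(queue.get(seq, 0), end)
            if plen <= tiny:
                counts[flow] += 1
        else:
            # In-order (or overlapping) data: advance, then drain queued
            # segments that have become contiguous with the received stream.
            next_seq[flow] = max(next_seq[flow], end)
            ready = sorted(s for s in queue if s <= next_seq[flow])
            while ready:
                for s in ready:
                    next_seq[flow] = max(next_seq[flow], queue.pop(s))
                ready = sorted(s for s in queue if s <= next_seq[flow])
    flagged = sorted(f for f, c in counts.items() if c >= threshold)
    return dict(counts), flagged


def build_sample():
    """Constructed sample traffic (not a real capture)."""
    # Benign flow: 100 full-size segments in order, with one adjacent pair swapped.
    benign = [("10.0.0.5", 51000, "10.0.0.1", 443, 1 + 1000 * i, 1000)
              for i in range(100)]
    benign[40], benign[41] = benign[41], benign[40]
    # Hostile flow: 200 one-byte segments, every one leaving a one-byte hole.
    hostile = [("198.51.100.7", 40000, "10.0.0.1", 80, 1000 + 2 * i, 1)
               for i in range(200)]
    return benign[:50] + hostile + benign[50:]


if __name__ == "__main__":
    counts, flagged = analyze_segments(build_sample())
    for flow in flagged:
        print("ALERT tiny out-of-order flood: %s:%d -> %s:%d (%d segments)"
              % (flow[0], flow[1], flow[2], flow[3], counts[flow]))
```

The benign flow’s single reordering is absorbed because the delayed segment is full-sized and the hole is filled immediately; the hostile flow never fills its holes, so every later tiny segment is counted and the flow is reported.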

1st Aug 2018 – Cisco Security Advisory CVE-2018-0391

Cisco Prime Collaboration Provisioning provides a scalable web-based solution to manage your company’s next-generation communication services. Cisco Prime Collaboration Provisioning manages IP communication endpoints and services in an integrated IP telephony, video, voicemail and unified messaging environment that includes Cisco Unified Communications Manager, Cisco Unified Communications Manager Express, Cisco Unity Express, Cisco Unity Connection systems and analog gateways.

But the technical issue with authentication, especially passwords, looks like it cannot be resolved yet! I am not going to shift the focus to conspiracy topics such as backdoor rumours. From a technical point of view, the architecture relies on HTTPS. Refer to the attached diagram: is there any similar architecture that triggers the traditional service ID issue? The traditional service ID for the web will be stored somewhere, and it is hardcoded.
The official announcement is at the URL below:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180801-pcp-dos

Apache OpenWhisk security alert! Jul 2018

The world is on its way to a robotics and automation skeleton. Not only the factory; software deployment is included too. Even if you don’t believe this is the prelude, it is not a coincidence, and we can’t evade this industrial revolution.

How artificial intelligence performs depends on what type of issue it encounters. A zero-day (vulnerability) is similar to a tumour in mankind; the infectious diseases of computers are malware and virus infections.

Let’s go deeper into the subject (Apache OpenWhisk security alert).

Function as a service (FaaS) is a category of cloud computing services that provides a platform allowing customers to develop, run, and manage application functionalities without the complexity of building and maintaining the infrastructure typically associated with developing and launching an OS and software application.

An open source project driven by IBM and Adobe, Apache OpenWhisk is a robust Functions-as-a-Service (FaaS) platform that can be deployed in the cloud or within the data center. Apache OpenWhisk now supports the PHP runtime.

There are two vulnerabilities confirmed in the Apache OpenWhisk product this month.

CVE-2018-11756 – https://github.com/apache/incubator-openwhisk-runtime-php/commit/6caf902f527250ee4b7b695929b628d560e0dad1

CVE-2018-11757 – https://github.com/apache/incubator-openwhisk-runtime-docker/commit/891896f25c39bc336ef6dda53f80f466ac4ca3c8

2018-07-18 – Jenkins Security Advisory

Jenkins is the leading open-source automation server. Built with Java, it provides over 1000 plugins to support automation. Is it a robot?

Basically, Jenkins is commonly used for building projects, running tests to detect bugs and other issues as soon as they are introduced, static code analysis and deployment.

For instance, combining Jenkins and Docker can bring improved speed and consistency to your automation tasks.

That is, you can configure Jenkins to build Docker images from a Dockerfile. You can use Docker within a CI/CD pipeline, using images as a build artefact that can be promoted to different environments and finally to production. Usually a freestyle job can be created to accomplish a specific task in the CI pipeline: compiling the code, running integration tests or deploying the application.

Remark:

A complete CI pipeline is made up of three major parts:

Integration: Build code and run unit tests.

Delivery: Deploy your application to a staging or production environment.

What if Jenkins is sick (has vulnerabilities) today? Any worries about that?

The official announcement states the following: https://jenkins.io/security/advisory/2018-07-18/#SECURITY-390


CYBER SECURITY ADVISORY – Panel Builder 800, Improper input validation vulnerability (CVE-2018-10616)

Looking back, cyber attacks have hit nuclear power facilities in the past. SCADA system vendors are working hard to harden their devices and provide cyber security advisories. A cyber security alert announced by ABB states that a software engineering tool for configuring Panel 800 has a vulnerability. All versions of ABB Panel Builder 800 have an improper input validation vulnerability which may allow an attacker to insert and run arbitrary code on a computer where the affected product is used. However, the vulnerability description indicates that the attacker would have to create a specially crafted file and trick a person using Panel Builder 800 into opening this file (see the hyperlink below – technical note).

http://search-ext.abb.com/library/Download.aspx?DocumentID=3BSE092089&Action=Launch

Perhaps the technical limitation sometimes lies in their fundamental design. See Alert B in the attached diagram. Panel 800 is Intel CPU based with the Windows CE OS. My concern is that it is not known whether Intel XScale or Marvell Feroceon cores are affected by these issues (Meltdown and Spectre). But no worries, tomorrow will be a better day!


26th Jul 2018 – CVE-2018-1046 (PowerDNS)

Cyber attacks wreak havoc; perhaps this is the digital world. We focused on cyber attacks happening on company and personal workstations in the past decade. The smartphone and IoT device market coverage is now bigger than that of hardware devices in the business world. From a business point of view, it is a good opportunity: telecom service providers will see more business growth. Meanwhile, cyber security attacks look like a heavy burden on their business operations.

DNS services are a major component of internet servers. Their service is similar to a phone book.

If you are a customer of PowerDNS, you must stay alert! For more details, please see the reference below (hyperlink):

PDNS before version 4.1.2 is vulnerable to a buffer overflow in dnsreplay. In the dnsreplay tool provided with PowerDNS Authoritative, replaying a specially crafted PCAP file can trigger a stack-based buffer overflow, leading to a crash and potentially arbitrary code execution. This buffer overflow only occurs when the --ecs-stamp option of dnsreplay is used.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1046

Security Advisory for Vulnerabilities in QNAP (Q’center) Virtual Appliance – Jul 2018

QNAP’s Network Attached Storage (NAS) is a friend to SME users. Even IT departments are satisfied with NAS, since the price is affordable and it provides plug-and-play functionality. It is common for NAT on the firewall to be deployed as Hide NAT. As a result your QNAP will receive new patch updates, but at the same time it benefits the hacker once a vulnerability occurs.

Please remember that you have to create a firewall rule denying the NAS access to the internet at this moment.

It is better to do the remediation now. See below:

https://www.qnap.com/zh-tw/security-advisory/nas-201807-10

25th Jul 2018 – Malicious Cyber Activity Targeting ERP Applications (Stay alert!)


A consulting firm observed that abuse of the SAP Invoker Servlet (built-in functionality in SAP NetWeaver Application Server Java systems, the SAP Java platform) is rapidly increasing. The fact is that customers may not be aware of, or may encounter technical difficulties remediating, an older vulnerability. Maybe a new attack (older vulnerability + zero-day) is what lets the risk materialize.

Quick remediation steps for the moment:

1. Scan systems for all known vulnerabilities, such as missing security patches and dangerous system configurations.

2. Analyze systems for malicious or excessive user authorizations.

3. Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities.

4. Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.

Should you be interested in the report, you can download it here:

https://www.onapsis.com/research/reports/erp-security-threat-report


23rd Jul 2018 – Bluetooth vulnerability

Elliptic Curve Diffie-Hellman (ECDH) makes a man-in-the-middle attack difficult, since the hacker would not be able to find out the shared secret, and therefore it looks secure. The public keys are either static (and trusted, say via a certificate) or ephemeral (also known as ECDHE, where the final ‘E’ stands for “ephemeral”). Ephemeral keys are temporary and not necessarily authenticated, so if authentication is desired, authenticity assurances must be obtained by other means. Authentication is necessary to avoid man-in-the-middle attacks. The truth is that this type of setup has a vulnerability: Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange.

Reference: Vulnerability Note VU#304725, Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange: https://www.kb.cert.org/vuls/id/304725
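What “sufficiently validate” means in practice is shown by the added example below, which is not code from the vulnerability note or from any Bluetooth stack. It implements ECDH on NIST P-256 in plain Python and puts the public-key validation steps of SP 800-56A (not the identity, coordinates in the field, on the curve, correct order) in front of the shared-secret computation. The point is visible in the arithmetic: the addition and doubling formulas never reference the curve constant b, so the same code “works” on an off-curve point and silently computes on a different curve. The curve constants are the public P-256 parameters; the private scalars in the demo are constructed test values, and the function names are this example’s own.

```python
"""Peer public-key validation for ECDH on NIST P-256 (secp256r1).

Added example (not from VU#304725 or any Bluetooth implementation): the
receiving side must confirm that a peer's public key lies on the agreed
curve before using it, because the group law below never uses b.
"""

# NIST P-256 domain parameters (public constants from FIPS 186-4 / SEC 2).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (GX, GY)
INFINITY = None  # the group identity (point at infinity)


def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + A*x + b; note that b never appears."""
    if p1 is INFINITY:
        return p2
    if p2 is INFINITY:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INFINITY                                  # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P     # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def _mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result = INFINITY
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def implied_curve_b(point):
    """The b of the curve y^2 = x^3 + A*x + b passing through `point`;
    it equals B only when the point is genuinely on P-256."""
    x, y = point
    return (y * y - x * x * x - A * x) % P


def validate_public_point(point):
    """Full public-key validation per SP 800-56A. Returns (ok, reason)."""
    if point is INFINITY:
        return False, "point at infinity"
    x, y = point
    if not (0 <= x < P and 0 <= y < P):
        return False, "coordinate out of field range"
    if implied_curve_b(point) != B:
        return False, "point not on curve"
    if _mul(N, point) is not INFINITY:
        return False, "point has wrong order"
    return True, "ok"


def public_key(private_scalar):
    if not 1 <= private_scalar < N:
        raise ValueError("private scalar out of range")
    return _mul(private_scalar, G)


def ecdh_shared_secret(private_scalar, peer_point):
    """x-coordinate of private_scalar * peer_point, refusing any peer key
    that fails validation (the check a careless implementation skips)."""
    if not 1 <= private_scalar < N:
        raise ValueError("private scalar out of range")
    ok, reason = validate_public_point(peer_point)
    if not ok:
        raise ValueError("rejected peer public key: " + reason)
    return _mul(private_scalar, peer_point)[0]


if __name__ == "__main__":
    # Constructed demo scalars: NOT secure randomness (use secrets.randbelow(N - 1) + 1).
    alice_priv, bob_priv = 0xC0FFEE123456789ABCDEF, 0xBADC0DE987654321
    alice_pub, bob_pub = public_key(alice_priv), public_key(bob_priv)
    print("shared secrets agree:",
          ecdh_shared_secret(alice_priv, bob_pub) == ecdh_shared_secret(bob_priv, alice_pub))
    tampered = (bob_pub[0], (bob_pub[1] + 1) % P)   # valid x, altered y
    print("tampered key on curve with b =", hex(implied_curve_b(tampered)))
    print("validation says:", validate_public_point(tampered))
```

The tampered key keeps a valid x-coordinate and changes only y, which is exactly the kind of value an implementation that checks x alone would accept; the on-curve test rejects it, and `implied_curve_b` shows which other curve the arithmetic would otherwise have run on.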